For one our Customer running PA 3200 Series in HA having GP License ( HIP checks)
Currently the GP Portal and Gateway have common Interface . The GP URL is vpn.connection.it ( sample name)
The requirement is that
Internal Users use the URL : internal.vpn.connection.it
External Users(Partners) use the URL : external.vpn.connection.it
The Users are part of different user groups .
So can we achive this using the same ( Single Public ) IP address or do we need two Public IP address
We can to use different HIP profiles for Internal and External users .
Do we need to create two different tunnel interface or loopbacks ? or two different gateways ?
Solved! Go to Solution.
Hey @FWPalolearner ,
I understand that you use loopback for GP portal and gateway and use NAT to translate the public to the loopback. I still don't understand why you do this way instead of use the eth1/1 in the GP portal and gateway on first place.
But let discuss the other point - "But I can still create a gateway with same loopback" even if you somehow manage to use same interface/ip on multiple gateway you should receive error during commit. Think about it - all comes done to sockets, creating GP gateway will create TCP socket which FW will listen for connections. Sockets consists of ip and port and you can have different services/application on different combination of ip and port. If you create second GP gateway you need to create second socket and since you cannot use different port (always using the standard port for SSL or IPSec) the only part you can change is the ip. Assigning same int and ip to both GP gateways will try to create two exactly the same sockets which will generate commit error.
And the same concept for the sockets apply for your NAT rules. I assume that you have NAT rule says "any public source to dest x.x.x, nat to any public source to dest 192.168.1.75". If you create second NAT rule similar to above, but with dest 192.168.1.76, the second nat will never hit (because the first math will be applied). Again you can play with ports as GP doesn't allow you change default ports, so the only way for the fw to apply the different nat rules is to use source ip address as matching criteria, but this defied the purpose of remote access vpn, because you will need to know from which public ip will the users connect.
you can achive this with configuring an Internal Gateway and an external Gateway and one or two portal, the Internal Gateway is an interface on your internal Network, External Gateway accessed from Outside normally out from internet (Public-IP) - Tunnel interface required here.
for more information check these out
Thanks for your reply
We are already have an Internal gateway which is being used currently only by Internal users when they are in Corporate network
The goal is this exercise is when Users connect to the GP outside of the company network ( internet or at home)
All the Corporate Users should use the URL internal.vpn.X . Different HIP profile , different IP Pool . different zone and different rules
All the Non Corporae users should use the URL external.vpn.X . Different HIP profile , different IP Pool . different zone and different rules
So my Query is whether we need two Tunnel Interfaces( One for each external Gateway) and two Loop backs ( one for each Portal )
So do i have to create two external gateways using two different loopbacks
and in the Portal settings define difference Address( FQDN) ?
Also , do i need two Public IPs ? or 1 can solve the purpose
then what you need is 2 external gateways, two tunnels, two public Ips.
another soultion would be same gateway, seperation based on users , and you can also define different IP pool for these non-corporate users and the networks that should they access with split-tunneling and add/edit your security policies as needed .
Hi @FWPalolearner ,
I suggestion is to always avoid multiple ip address on same interface like you would avoid a plague/covid. I cannot claim I have deploy lots of GPs, but I haven't yet saw a real need to configure multiple portals on single device, so I will try to avoid such setup as well.
As @Abdul-Fattah mentioned you can provide single portal and once the user authenticate you can have group/user base separation (have different ip pool, dns, access etc for each user group). This would be the easiest way to have complete separation between internal users and contractors/3rd-party. The problem with this approach is that both type of users will need to use same authentication type. You can use different domain for user authentication, but the the type (LDAP, RADIUS, etc) must be the same for both (if you use mfa over radius you can be creative, but it is up to the mfa and not the fw). And as you can imagine both type of users will use the same vpn address.
If you really want internal users to use one address and contractors/external user to use completely different address - the only way to achieve this is to have second portal/gateway. As mentioned I would avoid secondary IP, instead I would recommend to use loopback (configure loopback with public ip, put it in untrust/outsie zone and use it for the gp portal and gw).
The only benefit I can think of is that you can apply different authentication type for each user group, so it is interesting for me to understand the reason why you need separate addresses
Thanks for your inputs ; really appreciate
The Customer requirement is to use two different URLs . I understand that we use different user groups but user groups are already in place
thre requirement is to have different URL and Different Portal
So what i understood , we need below on PA cluster - can you please confirm :
1) two GP Gateways with two Loopbacks ? two GP portals - where in - for one we define the URL for external and for other the internal one
2) two tunnel interfaces , two loopbacks - with different IPs
3) two zones - one for Internal and one for external ?
I still have doubt, why cant we use the same Public IP as we can make both DNS entries to resolve to same IP
two domains resolving to same IP, for palo alto you are using only one IP. the Firewall does not care about Public-domains. as i mentioned earlier :
"another soultion would be same gateway, seperation based on users , and you can also define different IP pool for these non-corporate users and the networks that should they access with split-tunneling and add/edit your security policies as needed ."
and for portal you change nothing.
Hey @FWPalolearner ,
You can setup both DNS records to resolve to same IP, but:
- First you need to apply wildcard certificate on the portal or use certificate with SAN (subject alternative names)
- Even the users are pointed to different addresses they are still ended on the exact same portal, so they will be prompted with exact same authentication. This really annoys me with GP portal, there is no way to use multiple authentication realms and provide a way for the user to select/navigate to required auth realm.
So as long as you will use the same authentication type (LDAP, radius, etc) for all users (external and internal) you should be fine using two DNS records pointing to the same ip and having one portal. The important think here is the SSL certificate that will be used for the portal - either it must be wildcard (to match both urls) or it must list both in SAN (subject alternative names).
Your really don't need two gateways. You can use same gateways for both external and internal users, and using user group to apply different settings. The problem is again with the address, however during GP portal config you can specify different gateway addresses for each user group. So you can actually the exact same DNS records that you are using for the portal. And for the GP gateway you need to use the same SSL certificate (either wildcard or with SAN)
you can leverage "authentication-sequence" and select multiple authentication types/profiles (LDAP,Radius,Local..) and use it for Portals and Gatways.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!